Christoph Hartmann Alex Pop Co-Creator InSpec, Engineering Director Twitter: @chri_hartmann Github: chris-rock Software Engineer Twitter: @al3xpop Github: alexpop
Agenda ● InSpec Overview ● Project Community Update ● Demo 1: Profile and Control Improvements ● Demo 2: Extensions and Integrations ● InSpec Outlook ● Q & A
InSpec Overview ● Show of hands ● Open-source framework with: ○ a simple language to describe tests ○ local & remote execution engine ○ flexible reporting ● Used primarily for infrastructure and compliance testing
Cloud Platform Support ● Integrated in Azure Shell, Part of Azure Policy's Guest Configuration ● Integrated into AWS EC2 Run Command ● InSpec integrates with PowerClI
Platform Resources are managed in Resource Packs Profile 1 Profile 2 Resource Pack ● Resource improvements are managed independently from InSpec’s runtime ● Easier to support new platforms ● Makes management of runtime independent from the the user of the runtime
InSpec Outlook ● Priorities are based on issues and community feedback ● Identified areas for improvement ○ Simplified usage of resource packs ○ Improved resource lifecycle handling (alpha, stable, deprecated) ○ Ensure consistent behaviour for unavailable resources ○ Improve profile inheritance with namespaced attributes ○ Centralized deprecation behavior across inspec
Plugins ● Support for InSpec CLI and Platform plugins ○ CLI https://github.com/inspec/inspec-iggy ○ Backend https://github.com/inspec/train-digitalocean ● Resource Packs for Platforms ○ https://github.com/chris-rock/inspec-digitalocean ● See https://github.com/inspec/inspec/issues/3089 for more details
Unified attributes (2/2) Attributes are defined in the inspec.yml: attributes: - name: user default: alice required: true See https://github.com/inspec/inspec/issues/3176
Skip overhaul ● "Skip" is currently used to identify cases where a control cannot run: ○ The user doesn't want it to run when inheriting the profile Example: Use your colleague's AWS profile but skip all controls that test S3. ○ The control isn't run when certain conditions are met. For example don't test MySQL if it isn't installed. ○ A control is skipped if it uses resources that are not supported on the target system. For example looking for a "package" when testing an API. ● See https://github.com/inspec/inspec/issues/3158 for more details
Severity Prior to InSpec 3, severity was a numerical value that is implicitly scaled as: 0.0 Informational <0.4 Minor controls <0.7 Major controls <=1.0 Critical controls We can now be more descriptive and use the CVSS values: low, medium, high, critical See https://github.com/inspec/inspec/issues/562 control 'one' do impact 1.0 control 'one' do impact 'critical'
Multiple description types (1/2) We often see descriptions like the following in our controls: desc ' This is a very long description. Rational: Why we do this… Fixtext: How to fix it… ' This doesn’t expose the context of the description, e.g. the “rational” or “fixtext”.
Multiple description types (2/2) By using an identifier for the descriptions, users can provide more context: desc ' This is a very long description. ' desc 'rational': 'Why we do this...' desc 'fixtext' : 'How to fix it...' See https://github.com/inspec/inspec/issues/1695
chrisrock
ymty
kthrtty
mii3king
kawaguti
yoshikieguchi
ohmori_yusuke
x_ttyszk
yoyoyopg
hankehly
yoyakoba
convto
microcms
nonsquared
ddemaree
myddelton
mongodb
brianwarren
lara
marcelosomers
danielanewman
jonyablonski
afnizarnur
roundedbygravity
akosma